Abstract

Strong attacks against quantum key distribution use quantum memories
and quantum gates to attack directly the final key. In this paper we
extend a novel security result recently obtained, to demonstrate
proofs of security against a wide class of such attacks. To reach this
goal we calculate information-dependent reduced density matrices, we
study the geometry of quantum mixed states, and we find bounds on the
information leaked to an eavesdropper. Our result suggests that
quantum cryptography is ultimately secure.

Quantum cryptography (e.g. ||1|, 0) suggests an information secure key 
distribution. It is based on the fact that non-orthogonal quantum states
cannot be cloned, and any attempt to obtain information regarding these
states necessarily disturbs them and induces noise. In principle, the
legitimate users of a quantum key distribution scheme, Alice and Bob,
should quit the protocol if they notice noise. However, in real
protocols, the channels and devices are not perfect, and some errors are
inevitable. As long as the rate of errors is small, these errors must be
accepted and corrected by the legitimate users. As a result, the
eavesdropper, Eve, can obtain some information on the transmitted data,
as long as she induces fewer errors than allowed (e.g., by eavesdropping
on a small portion of the transmitted particles). Furthermore, she can
obtain more information using the error-correction data transmitted via
a classical channel.

To overcome these problems, privacy amplification techniques ^ were 
suggested. The simplest technique uses the parity bit of a long string as
the secret bit (where the parity is zero if the string contains an even
number of 1's and else it is one). Such techniques aim to reduce Eve's
information on the final key to be exponentially small with the length of
the initial string (or at least to be much smaller than a single bit).
Unfortunately, a proof of security must stand against an adversary
equipped with any technology allowed by the rules of quantum mechanics,
and neither of the suggested schemes is proven secure (for a different
opinion see IQ ); their security against sophisticated joint attacks,
which use quantum memories, quantum gates, and delayed measurements to
attack directly the final key, is only partially established [^, ^, 0].
In this work we extend the results of much further.

The first hints that privacy amplification might still be effective against
such attacks were provided by Bennett, Mor and Smolin (BMS) [§]. Suppose
Eve obtains a binary string of n bits where each bit is presented by
non-orthogonal polarization states,
$\psi_0 = \binom{\cos\alpha}{\sin\alpha}$ and
$\psi_1 = \binom{\cos\alpha}{-\sin\alpha}$, with small angle $2\alpha$
between them. If each bit is measured separately, the optimal
information on the parity bit of the string,
$I_S(n,\alpha) = (2\alpha)^{2n}/(2\ln 2)$, is exponentially small with n.
By measuring all particles together Eve can gain much more information
on the parity bit. However, the optimal information,
$I_M(n,\alpha) = c\binom{2k}{k}\alpha^{2k}$ (with $n = 2k$ and $c = 1$
for even n, and $n = 2k - 1$ and $c = 1/\ln 2$ for odd n), is still
exponentially small with the length of the string. This result
(henceforth, the BMS result) suggests that quantum cryptography is
secure even when Eve knows the specification of the privacy
amplification technique, since all privacy amplification techniques are
based on similar principles.

In real protocols, Eve does not obtain one of two states with small angle
between them, but she can probe the states sent from Alice to Bob using
any technique she likes. Thus, the BMS result only provides some
intuition regarding the effectiveness of privacy amplification. To make
this intuition more adequate to realistic quantum key distribution
protocols, Biham and Mor [0 presented a restricted class of joint
attacks, called collective attacks, which can use the BMS method and
result: (a) Eve attaches a separate, uncorrelated probe to each
transmitted particle using a translucent attack; (b) Eve keeps the
probes in a quantum memory till receiving all classical data including
error-correction code and privacy amplification data; (c) Eve performs
the optimal measurement on her probes in order to learn the optimal
information on the final key. The underlined constraints on the probes
distinguish the collective attacks from more general joint attacks, and
enable analyzing the attacks in terms of the density matrices which Eve
obtains.

We concentrate on symmetric collective attacks in which the same
translucent attack is applied to each transmitted particle, and the
attack is symmetric to any of the allowed quantum states of each
particle. Such an attack induces the same probability of error to each
transmitted bit. It must be weak, or else it would induce a
non-acceptable error-rate. Thus, the possible states of Eve's probe
cannot differ much.

An explicit example of such a symmetric collective attack was presented
in 1^, together with a proof of security against it. In this example
Alice and Bob use the two state scheme of Bennett P| (with pure
polarization states with angle $2\theta$ between them). Eve uses, in the
first step of the collective attack, the (weak) translucent attack
without entanglement 0| (which we call here the EHPP attack), that
leaves each probe in one of two pure states, $\psi_0$ or $\psi_1$, with
small angle $2\alpha$ between them. After an error-estimation step,
Alice and Bob have an n-bit string. Alice and Bob choose the parity bit
of that (full n-bit) string to be their secret bit, and Alice sends to
Bob some parities of substrings as the error-correction data^]. In we
calculated Eve's density matrices for the parity bit while taking into
account the error-correction data she has [|lT|. Then, we found Eve's
best strategy for measuring the probes and her optimal mutual
information on the parity bit. For large strings and small error-rate
(thus, small angle $\alpha$) this information decreases exponentially
with the length of the string n; e.g., for Hamming codes it is

$$I(n,\alpha) < C(n)\,(2\alpha)^{(n+1)/2} \qquad (1)$$



with C{n) = in20F V ~'~ "^^^ ^ given error-rate, Pe, the resultant angle 
in the EHPP attack is a = (tan^(26') PeY^'^ , so that the information 
I{n,pe) is of the order of p^'^^'^^^. 

In terms of quantum information theory this result (henceforth, the BM
result) extends the BMS result to the case where parities of substrings
are given (error-correction code). For purposes of quantum key
distribution, the BM result provides the first security proof against a
strong attack. However, it is restricted to attacks in which Eve's
probes are in a pure state. Unfortunately, most possible translucent
attacks on the two state scheme 0, which can be used in the first step
of the collective attack, leave each of Eve's probes in a mixed state.
Also, any translucent attack on the four state scheme leaves each probe
in a mixed state (at least for two out of the four possible states).

The aim of this work is to apply the BM result to the case of mixed states.
We first demonstrate that any type of information which can be extracted
from certain two-dimensional mixed states can be bounded, if the solution
for pure states is known. Then we explicitly demonstrate, via two examples,
how to bound Eve's optimal information (for a given induced error-rate).
We also calculate the (individual bit) information-dependent reduced
density matrices which are in Eve's hands.

Any state (density matrix) in 2-dimensional Hilbert space can be written
as $\rho = \frac{I + r\cdot\sigma}{2}$, so that
$\rho = \frac{1}{2}\begin{pmatrix} 1+z & x-iy \\ x+iy & 1-z \end{pmatrix}$,
with $r = (x, y, z)$ being a vector in $\mathcal{R}^3$,
$\sigma = (\sigma_x, \sigma_y, \sigma_z)$ the Pauli matrices, and $I$ the
unit matrix. In this "spin" notation, each state is represented by the
corresponding vector $r$. For pure states $|r| = 1$, and for mixed states
$|r| < 1$. Suppose that $\chi$ and $\zeta$ are two density matrices,
represented by $r_\chi$ and $r_\zeta$ respectively. It is possible to
construct the density matrix $\rho = m\zeta + (1-m)\chi$ from the two
matrices (where $0 < m < 1$), and the geometric representation of such a
density matrix $\rho = \frac{I + r_\rho\cdot\sigma}{2}$ is
$r_\rho = m r_\zeta + (1-m) r_\chi$. Two pure states can always be
expressed as $|\Phi_0\rangle = \binom{c}{s}$ and
$|\Phi_1\rangle = \binom{c}{-s}$ with $c = \cos\alpha$ and
$s = \sin\alpha$. Using the notations of density matrices
($\Phi_0 = |\Phi_0\rangle\langle\Phi_0|$ etc.) the pure states are
$\Phi_p = \frac{1}{2}\begin{pmatrix} 1+z & x \\ x & 1-z \end{pmatrix}$,
with $z = \cos 2\alpha$ and $x = \sin 2\alpha$ for $p = 0$ and
$x = -\sin 2\alpha$ for $p = 1$. If $\Phi_p$ is used to describe a bit p,
the receiver can identify the bit by distinguishing the two pure states.
Two (not necessarily pure) density matrices $\rho_p$ in two-dimensional
Hilbert space, with equal determinants (which are equal to $|r|$) can
also be expressed using similar form with $z = |r|\cos 2\alpha$ and
$x = \pm|r|\sin 2\alpha$. For two such mixed states let us choose a state
$\chi_n$, and two pure states $\Phi_0$, $\Phi_1$ such that

$$\rho_0 = m\Phi_0 + (1-m)\chi_n, \qquad \rho_1 = m\Phi_1 + (1-m)\chi_n. \qquad (2)$$



Let $I$ be some (positive) measure for the optimal distinguishability of
two states, so that any operation done on them cannot lead to a
distinguishability better than $I$. From the construction of eq. (2), it
is clear that any measure for optimal distinguishability must find that
the two mixed states $\rho_p$ are not more distinguishable than the two
pure states $\Phi_p$ [that is, $I(\Phi_0;\Phi_1) \ge I(\rho_0;\rho_1)$].
Suppose the contrary, $I(\Phi_0;\Phi_1) < I(\rho_0;\rho_1)$. Then, when
one receives $\Phi_p$ he can mix them with $\chi_n$ and derive a better
distinguishability than $I(\Phi_0;\Phi_1)$, in contradiction to the
definition of $I(\Phi_0;\Phi_1)$.

We can choose any measure of an optimal information carried by these
systems to describe the distinguishability, and it should satisfy
$I_{mixed} \le I_{pure}$. Very complicated types of information can be
extracted from such systems, as for example, the optimal information on
the parity of an n-bit string of such quantum bits [§, [7[. In the case
[[7|, where parities of substrings are given, a solution exists only for
pure states with small angles (the BM result), and we can now use this
known solution to bound the optimal information which can be extracted
from mixed states which are close to each other. Let $\rho_{cms}$ be the
completely mixed state, $\rho_{cms} = \frac{1}{2}I$. Also let
$\rho_\downarrow$ be the pure state of spin down in the z direction. Two
cases of eq. (2) are useful for our purpose: (a)
$\rho_p = m\Phi_p + (1-m)\rho_{cms}$, where the pure states $\Phi_p$ have
the same angle as $\rho_p$ (see Fig. 1a); (b)
$\rho_p = m\Phi_p + (1-m)\rho_\downarrow$, where $\Phi_p$ (which are
uniquely determined) are shown in Fig. 1b. The first type of bound is
useful if $\rho_p$ have a small angle $\alpha$ (which satisfies
$\tan 2\alpha = x/z$), so that the angle between the pure states,
$\beta = \alpha$, is also small. The second type of bound is useful when
the 'distance' $2x$ between the two possible mixed states is small (while
$\alpha$ might be large). In this case $x$ is small and $z$ positive,
hence the resultant angle $\beta$ between the two pure states is small
(following tan/5 = tan 25 = < x). Thus, in both cases the angle between
the two pure states is small so that $I(n,\beta)$, eq. (1) with an angle
$\beta$, provides an upper bound on Eve's information on the final key.
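
Added example (not from the original paper): a numeric check of the two constructions (a) and (b) above for Bloch vectors (±x, 0, z), using the trace distance as one possible choice of the measure I. The function names and the sample values x = 0.05, z = 0.6 are assumptions made for this illustration; the relation tan β = x/(1+z) checked for case (b) follows from the geometry of a chord drawn from the south pole of the Bloch sphere.

```python
import math

# Constructed sample: Bloch vectors of the two mixed states are (+-x, 0, z).
SAMPLE_X, SAMPLE_Z = 0.05, 0.6

def trace_distance(r0, r1):
    """Trace distance of two qubit states given by (x, z) Bloch components."""
    return 0.5 * math.hypot(r0[0] - r1[0], r0[1] - r1[1])

def mix(m, r_pure, r_chi):
    """Bloch vector of m*Phi + (1-m)*chi (mixing is linear in Bloch vectors)."""
    return tuple(m * a + (1 - m) * b for a, b in zip(r_pure, r_chi))

def decompose_cms(x, z):
    """Case (a): chi_n is the completely mixed state, Bloch vector (0, 0)."""
    m = math.hypot(x, z)              # weight of the pure state equals |r|
    beta = 0.5 * math.atan2(x, z)     # same angle as rho_p: tan(2*beta) = x/z
    return m, beta

def decompose_down(x, z):
    """Case (b): chi_n is the spin-down pure state, Bloch vector (0, -1)."""
    # Extend the ray from the south pole through (x, z) to the unit circle.
    t = 2 * (1 + z) / (x * x + (1 + z) ** 2)
    pure = (t * x, t * (1 + z) - 1)
    beta = 0.5 * math.atan2(pure[0], pure[1])
    return 1 / t, beta

def pure_vec(beta, sign):
    """Pure state with z = cos(2*beta), x = sign*sin(2*beta)."""
    return (sign * math.sin(2 * beta), math.cos(2 * beta))

def check(x, z):
    """Rebuild rho_0, rho_1 from each construction and compare distances."""
    out = {}
    cases = (("a", decompose_cms, (0.0, 0.0)),
             ("b", decompose_down, (0.0, -1.0)))
    for name, decompose, chi in cases:
        m, beta = decompose(x, z)
        phi0, phi1 = pure_vec(beta, +1), pure_vec(beta, -1)
        rho0, rho1 = mix(m, phi0, chi), mix(m, phi1, chi)
        out[name] = {
            "m": m,
            "beta": beta,
            "rho0": rho0,
            "d_mixed": trace_distance(rho0, rho1),
            "d_pure": trace_distance(phi0, phi1),
        }
    return out

if __name__ == "__main__":
    for name, r in check(SAMPLE_X, SAMPLE_Z).items():
        print(name, r)
```

In both cases the rebuilt mixed states coincide with (±x, 0, z), and their trace distance is m times that of the pure states, so it never exceeds it.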

An explicit calculation of Eve's density matrix as a function of $p_e$
must be done separately for any suggested attack to obtain $I(n,p_e)$.
However, the fact that Eve is allowed to induce only small error-rate
restricts her possible transformations at the first stage of the
collective attack, hence, the two possible states of each of her probes
must be largely overlapping (for a symmetric attack). Concentrating on
two-dimensional probes, this promises us that the second of the two
cases above can always be used to bound Eve's information to be
exponentially small. For certain examples the first case is sufficient,
hence the angle between the two possible pure states can be calculated
from Eve's density matrix directly using $\beta = \alpha$. Let us show
two examples in detail, to conclude that Eve's information is
exponentially small with the length of the string. Both examples use the
same unitary transformation but are applied onto different quantum
cryptographic schemes, the two state scheme and the four state scheme.

In our examples Eve uses a 2-dimensional probe in an initial state 

She performs a unitary transformation u(J^ \ (with |0) Alice's state), where 
with $c_\gamma = \cos\gamma$, etc. She chooses a small angle $\gamma$ so
that the attack is weak. Let Alice's possible initial states be
$|\phi_p\rangle$ = in the two state
scheme, and = "^(ji) (with m = 0 ... 3) in the four state scheme. The
corresponding final states are



/ cos 6* 
± sin 6c^ 
± sin 9s^ 
respectively. Bob's reduced density matrices (rdms) are calculated from
the final states by tracing out Eve's particle. This operation is usually
denoted by $\rho_B = \mathrm{Tr}_E[|\Psi\rangle\langle\Psi|]$, where the
full formula is given by eq. 5.19 in [13]
($\rho_{nm} = \sum_{\mu\nu}\rho_{n\nu,m\mu}\,\delta_{\mu\nu} = \sum_{\mu}\rho_{n\mu,m\mu}$).
We denote this operation by
$\rho_B = \mathrm{Tr}_E[(|\Psi\rangle\langle\Psi|)\,I]$, where $I$ is two
dimensional ($\delta_{\mu\nu}$ in eq. 5.19). From Bob's matrices we find
the error-rate, that is, the probability $p_e$ that he recognizes a wrong
bit value. Calculating Eve's density matrix is more tricky; we need to
take into account the additional information she obtains from the
classical data, in order to obtain information-dependent rdms. This is a
trivial task for the four-state scheme but a rather confusing task in
case of the two-state scheme.
In case of the four state scheme Bob measures his particle in one of the
bases x (corresponding to m = 0, 2) or y (m = 1, 3). Suppose that Alice and
Bob use the x basis; Bob's rdms are $\rho_B$ =

/ 1 + i(s )2 ±lc \
\ ^ .i ^ i \2 \^
-^2 7 2 2^1)

leading to an error-rate $p_e = \sin^2(\gamma/2)$ which is the probability
that he identifies $|\phi_2\rangle$ when $|\phi_0\rangle$ is sent. Eve has
the same knowledge of the basis, hence her information-dependent rdms are
$\rho_E$ = { 2^2V7y ^ 2

$x = s_\gamma$, $z = (c_\gamma)^2$, and the relevant angles are
$2\beta = 2\alpha = \tan^{-1}(s_\gamma/c_\gamma^2)$ (using the first type
of bounds). For a small angle $\gamma$ we get
$p_e \approx \gamma^2/4 + O(\gamma^4)$,
$\beta \approx \gamma/2 + O(\gamma^3)$, and thus
$p_e \approx \beta^2 + O(\beta^4)$. The information is thus bounded by
$I(n,p_e) < C(n)(4p_e)^{(n+1)/4}$ to be exponentially small [using eq. (1)].

In case of the two-state scheme Bob's rdms are = f ^^^^ i^d) i^i) ,'^^.^<f,^^1n 

\ ±cesec^ [sey{c^y 

Bob chooses one of two possible measurements, $M_{0\to 1}$ or
$M_{1\to 0}$, with equal probability $p_{0\to 1} = p_{1\to 0} = 1/2$. In
case of $M_{0\to 1}$, Bob measures the received state to distinguish
$\phi_0$ from its orthogonal state $\phi_0'$ and finds a conclusive
result '1' whenever he gets $\phi_0'$. (The conclusive result '0' is
obtained by replacing 0 and 1 in the above.) The error-rate is the
probability of identifying
(pp when (pp is sent, and it is pe = (s6i)^(c0)^[l — c^]^ -|- (s6i)^(s^)^. 

To obtain Eve's density matrices one must take into account all the
information she possibly has. If one ignores the classical information
and calculates the standard rdms (as in [0]), then the result is of
significant importance to quantum information, while it is less relevant
to quantum cryptography. Recall that Bob keeps only particles identified
conclusively (as either $\phi_0$ or $\phi_1$); Bob informs Alice, and
thus Eve, which they are, and, as a result, Eve knows that Bob received
either $\phi_0'$ or $\phi_1'$ in his measurement, and not $\phi_0$ or
$\phi_1$. This fact influences her density matrices, and these are not
given anymore by the simple tracing formula
$\rho_E = \mathrm{Tr}_B[(|\Psi\rangle\langle\Psi|)\,I]$. In general,
information-dependent rdms are obtained by replacing $I$ by any other
positive operator $A$:

$$\rho_E = \mathrm{Tr}_B\left[(|\Psi\rangle\langle\Psi|)\,A\right] \qquad (5)$$

(This is a rather obvious conclusion from the discussions prior to eq. 5.19
and also from page 289 in sec. 9 in [13]; the correctness of this technique
can easily be verified |T§). In our case
$\rho_E = \mathrm{Tr}_B\left[(|\Psi\rangle\langle\Psi|)\left(\tfrac{1}{2}|\phi_0'\rangle\langle\phi_0'| + \tfrac{1}{2}|\phi_1'\rangle\langle\phi_1'|\right)\right]$,
where the halves result from $p_{0\to 1}$ and $p_{1\to 0}$. This tracing
technique leads to




After normalization we get x = 2s.yC0{sg)^ /TrpE and z = — = 
[{cg)'^{sg)'^[l + (c^)^] — {sg)'^{s^Y) /TrpE- The relevant angles are again 2/3 = 
2a = tan~^(x/z). For small angle 7 we get pe ~ sg'^'y'^ + 0(7^), 2/3 ~ 
{se/ceh + 0(7^). Finally we get Pe ^ {sgf{ce)'^{2/3f + 0{(3^) from which 
I{pe,n) can be easily calculated as in the previous example. 

The information available to Eve when she performs any other symmetric 
collective attack with two-dimensional probes can also be calculated using 
our method. Although we do not know how to find the optimal attack of that type
yet, our method can still prove security against it, since there is some (small 
enough) error-rate, such that Eve's probes have small angles between them, 
and thus, our proof can be applied. The second type of bounds is usually 
irrelevant when the attack is given (since Eve's initial state is usually in pure 
state), but it can be very useful for finding the optimal attack, requiring 
only to find the maximal 'distance', 2x, between the two possible states of 
the probe. 

More general collective attacks can use non-symmetric translucent attacks
and/or can use probes in higher dimensions, in the first step of the
collective attack. Methods similar to ours can be used for proving
security against various non-symmetric collective attacks (in
2-dimensions), but the calculation becomes more complicated and is
beyond the goals of this work. Our bounds cannot be used when Eve uses
higher dimensional probes. Indeed, in this case the two possible states
of each probe are still highly overlapping, and the same intuition which
holds in our paper shall still hold. However, extending the information
bounds we found to three or four dimensions might be a difficult task
(such analysis of dimensions higher than four is not required since they
cannot help the attacker due to the reasons shown in [0).

A more crucial issue is the possibility of finding stronger joint attacks 
which are not collective. Let us present the strong argument which is the 
basis for approaching the security problem through the collective attack: by 
the time Eve holds the transmitted particles she has no knowledge of the 
error-correction and privacy amplification techniques to be used by Alice 
and Bob. She even doesn't know which particles will be discarded in the
error-estimation stage, and how the common bits will be reordered. Thus,
we conjecture that she cannot gain information by searching or by creating 
correlations between the transmitted particles; she better keep one separate 
probe for each particle, and perform the measurements after obtaining the 
missing information as is done in the collective attacks. Any attempt of 
creating such coherent correlations at the first step of the attack induces 
error, while it cannot lead to an increase in the resultant information; indeed 
it could help Eve if she would guess correctly the required correlations (e.g., 
the final string, from which the parity is calculated), but the probability of 
successful guess is exponentially small. Unfortunately, proving this intuitive 
argument is yet an open problem. 

It is a pleasure for us to thank Asher Peres, William Wootters and Gilles 
Brassard for helpful discussions. 



Figure 1: Two ways of constructing the two density matrices $\rho_p$ from
two pure states $\Phi_p$ and a third state $\chi_n$ common to both density
matrices. In a), $\chi_n = \rho_{cms}$, the completely mixed state. In b),
$\chi_n = \downarrow_z$, the "down z" pure spin state.